{
  "threat_severity" : "Low",
  "public_date" : "2021-10-24T00:00:00Z",
  "bugzilla" : {
    "description" : "vim: heap-based buffer overflow vulnerability",
    "id" : "2018558",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2018558"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "vim is vulnerable to a heap-based buffer overflow" ],
  "statement" : "This flaw is marked as Low Impact because it requires a user to run an untrusted/malicious Vim script using the `-s` option at the command line. Untrusted Vim scripts should never be run as they can already execute arbitrary shell commands. The security issue raised by this flaw would be no worse than what is already possible when running untrusted Vim scripts.\nVim as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw. The flaw is out of support scope for Red Hat Enterprise Linux 6 and 7.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9405",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "vim-2:8.2.2637-21.el9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9405",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "vim-2:8.2.2637-21.el9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/openshift-hive-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3903\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3903" ],
  "name" : "CVE-2021-3903",
  "mitigation" : {
    "value" : "Do not run untrusted vim scripts with -s {scriptin} as it is never safe to do so.",
    "lang" : "en:us"
  },
  "csaw" : false
}